Cloud computing is gaining increasing momentum as more and more services are being migrated into the cloud. As part of the process of migrating an application or a web service into the cloud, an authorization layer is normally added to mediate access to the service.
In many cases this layer uses fine-grained identity information about the user (as opposed to coarse identifiers, such as the user's role) for making authorization decisions.
The entire system, including the original business logic and the added authorization layer, may be committed to service-level agreements in terms of response time. For example, if a customer is soliciting the help of a web service residing on the cloud, then that customer would like a guaranteed response time of up to X seconds for an arbitrary request.
The challenge this scenario brings forward is that, while the business logic typically undergoes extensive performance testing via unit tests, integration tests, and quality assurance teams, the entire system, including both the original business logic and the new authorization layer built on top of it, is hard to test.
The reason for this is the necessity to supply the identity information. In many cases different identities lead the execution flow of the code to different branches that might:
(i) make calls to external entities for special authentication requests (in federated environments the authentication is done by the external entity which has the trust relationship with the cloud authentication service);
(ii) access back-end databases to correlate and validate user-provided information;
(iii) perform CPU-intensive processing of incoming data, such as encryption and decryption of parts of it.
The problem here is to find those identities that are going to produce meaningful results. Sometimes a worst-case scenario that can be used for evaluating service-level agreements is of interest; at other times it is of interest to see whether a particular property has an impact on performance, and to test the service with various values of that property.
Therefore, there is a need in the art to address the aforementioned problems.
Although this problem particularly arises with the identity management technologies required in cloud computing, it also applies to non-cloud web services and web applications which use identity frameworks.
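To make the identity-dependent branches (i) to (iii) concrete, the following added example (not part of the original text) sweeps every combination of identity property values through a simulated authorization layer, then reports the worst-case identity, the identities that break a response-time limit, and how much each property moves the latency. The property names, their values, and all latency figures are constructed assumptions.

```python
from itertools import product
from statistics import mean

# Constructed latencies (ms) standing in for the three branch types listed above.
FEDERATED_CALL_MS, DB_LOOKUP_MS, DECRYPT_MS_PER_KB = 120.0, 35.0, 4.0

# Hypothetical identity properties and the values to sweep for each.
PROPERTY_VALUES = {
    "issuer": ["local", "partner-idp"],   # (i) partner-idp needs an external call
    "has_profile_claims": [False, True],  # (ii) claims validated against the back end
    "encrypted_token_kb": [0, 2, 16],     # (iii) size of the encrypted part
}

def authorize_cost_ms(identity):
    """Simulated authorization layer: latency this identity incurs."""
    cost = 1.0  # baseline policy evaluation
    if identity["issuer"] != "local":
        cost += FEDERATED_CALL_MS
    if identity["has_profile_claims"]:
        cost += DB_LOOKUP_MS
    cost += DECRYPT_MS_PER_KB * identity["encrypted_token_kb"]
    return cost

def sweep(business_logic_ms, sla_ms):
    """Try every combination of property values.

    Returns (results, worst, violations), where each result is
    (identity, total response time in ms).
    """
    names = list(PROPERTY_VALUES)
    results = []
    for combo in product(*PROPERTY_VALUES.values()):
        identity = dict(zip(names, combo))
        results.append((identity, business_logic_ms + authorize_cost_ms(identity)))
    worst = max(results, key=lambda r: r[1])
    violations = [r for r in results if r[1] > sla_ms]
    return results, worst, violations

def property_impact(results):
    """Per property: spread between highest and lowest mean latency over its values."""
    impact = {}
    for name, values in PROPERTY_VALUES.items():
        means = [mean(t for ident, t in results if ident[name] == v) for v in values]
        impact[name] = max(means) - min(means)
    return impact

if __name__ == "__main__":
    results, worst, violations = sweep(business_logic_ms=50.0, sla_ms=200.0)
    print("worst case:", worst)
    print("SLA violations:", len(violations), "of", len(results))
    print("impact by property (ms):", property_impact(results))
```

Against a real service, `authorize_cost_ms` would be replaced by a timed request made with a test identity carrying those property values; the sweep and the per-property comparison stay the same.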